WebDeveloperInformation

If you are a web developer with access to a mod_openpgp-enabled Apache server, you will find this information interesting (or at least useful!).

Enigform is a Firefox extension that, basically, adds headers to an outgoing HTTP request, turning it into an "OpenPGP Signed Request". A request is signed by Enigform when:

A Secure Session request (Initiation/Finalization) is sent.

The current request belongs to a site for which a session exists.

The current request has ##ENIGFORM_Sign## appended at the end of the URL.

When mod_openpgp receives such a signed request, it processes it accordingly: the headers and body of the request are analyzed, the signature is verified, and the session information is acted upon. The results of these verifications (signature status, session status, etc.) are appended as a second set of headers. This second set is guarded against spoofing, so a client cannot inject these headers into a request and have them accepted; mod_openpgp only ever sets them itself, after its own checks. Your application should still read them only from requests that actually passed through mod_openpgp.

Let's look at those two sets of headers: first the headers added by Enigform, then the headers added by mod_openpgp.

Enigform-added Headers

X-OpenPGP-Type = S

This means the request is Signed. In the future, "E" for Encrypted and "SE" for both Signed and Encrypted will be supported.

X-OpenPGP-Sig-Fields = body,session

This states which elements are signed, and in what order they were fed to the OpenPGP application. In this example both the "body" and the "session" value are signed, body first. The body is the POST payload ("variable=value" in the example); in a GET request the "body" would be the QUERY STRING. "session" means the value of the X-OpenPGP-Session header is also covered by the signature, which ties the signed request to one session. The order matters: the verifier must concatenate the fields in the listed order or the signature will not check out.

mod_openpgp-added Headers

X-Auth-OpenPGP-Fingerprint

Fingerprint of the public key that made the signature: 40 hex characters (the full fingerprint) when the key is known to the server, 16 hex characters (only the long key ID) otherwise.

X-Auth-OpenPGP = true

Indicates the request carries a good signature. Do not trust this value alone. It ONLY indicates that the signature verified against the key, not that the request was actually sent by the user just now: a captured signed request can be replayed as-is. See HTTP.ReplayAttacks? for more details.

X-Auth-OpenPGP-KeyID = 025A4EB06857704D

ID of the public key used to sign the request. Basically, the last 16 hex characters of X-Auth-OpenPGP-Fingerprint (the 64-bit long key ID). Key IDs are far shorter than fingerprints and can collide, so base authorization decisions on the fingerprint rather than on this header.

X-OpenPGP-Session-Status = Valid

Can be one of three values: Valid, Invalid or Timeout. (TODO: add more details. In the meantime they are explained in mod_openpgp's source code.)

For a known public key, these fields get added, which are self-explanatory:

More details on session management:

mod_openpgp still needs some of this code polished or implemented, but the idea is a mod_openpgp option that controls whether the client's IP address is bound to the session as a countermeasure against replay attacks.

If the IP IS taken into account, then I think there is a very interesting approach for "Automatic IP Change Revalidation". The problem: if the LEGIT user's IP changes during a session, how can mod_openpgp tell a valid request that merely comes from a different IP apart from an illegal one (replayed by an attacker)? From the request alone it cannot, since both carry a good signature, so it has to challenge the client instead.

I think it could work like this:

1) User begins a session from IP 1.2.3.4.
2) User browses the website; the IP is still 1.2.3.4.
3) Suddenly the IP changes to 9.8.7.6. The next request to the website is legitimate, but comes from a different IP.
4) The server notices the IP change. The request looks valid (the digital signature verifies), but the server does not serve it.
Instead it answers with a 302 HTTP redirect to the SAME URL, with a special ##REVALIDATE_SESSION## anchor appended.
5) Enigform (on the user's machine) detects this session revalidation request and requests a new session (a signed Secure Session Initiation).
The new session code is obtained and replaces the old one.
6) The request continues to the same URL, now auto-revalidated! An attacker replaying a captured request from another IP receives the same redirect, but without the user's private key cannot sign the new session request, so the replay stops there.
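The exchange described above, together with the header handling explained earlier on this page (signing the fields in X-OpenPGP-Sig-Fields order, discarding client-supplied result headers, and emitting X-Auth-OpenPGP, X-Auth-OpenPGP-KeyID and X-OpenPGP-Session-Status), as an added example in Python. This is not Enigform's or mod_openpgp's own code. Assumptions: the real OpenPGP signature is replaced by an HMAC-SHA256 tag under a constructed secret so the example runs offline; the header names X-OpenPGP-KeyID and X-OpenPGP-Sig, the session token format, the URL /app and the IP addresses are made up here; the Timeout session status is not modeled.

```python
import hashlib
import hmac
import secrets

# Constructed key material: the key ID shown on the page, plus a secret that
# stands in for the OpenPGP key pair (HMAC replaces the real signature here).
KEY_ID = "025A4EB06857704D"
KEYRING = {KEY_ID: b"constructed stand-in for OpenPGP key material"}
# Headers only mod_openpgp may set; any copy sent by a client is discarded.
RESULT_HEADERS = ("X-Auth-OpenPGP", "X-Auth-OpenPGP-KeyID",
                  "X-Auth-OpenPGP-Fingerprint", "X-OpenPGP-Session-Status")


def sign(secret, sig_fields, body, session):
    """Signature stand-in: cover the fields named in X-OpenPGP-Sig-Fields,
    concatenated in exactly the order they are listed."""
    values = {"body": body, "session": session or ""}
    data = "\n".join(values[f] for f in sig_fields.split(",")).encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def enigform_request(body, session=None, secret=KEYRING[KEY_ID]):
    """Headers Enigform adds to an outgoing request. X-OpenPGP-KeyID (which key
    signed) and X-OpenPGP-Sig (the signature) are assumed header names."""
    sig_fields = "body,session" if session else "body"
    headers = {"X-OpenPGP-Type": "S", "X-OpenPGP-Sig-Fields": sig_fields,
               "X-OpenPGP-KeyID": KEY_ID,
               "X-OpenPGP-Sig": sign(secret, sig_fields, body, session)}
    if session:
        headers["X-OpenPGP-Session"] = session
    return {"headers": headers, "body": body}


class ModOpenPGP:
    """Server side: verify, emit result headers, keep sessions bound to an IP."""

    def __init__(self, bind_ip=True):
        self.bind_ip = bind_ip
        self.sessions = {}  # session token -> (key id, client ip)

    def _verify(self, req):
        h = req["headers"]
        secret = KEYRING.get(h.get("X-OpenPGP-KeyID"))
        if secret is None:
            return False  # unknown key: nothing to verify against
        try:
            expected = sign(secret, h.get("X-OpenPGP-Sig-Fields", "body"),
                            req["body"], h.get("X-OpenPGP-Session"))
        except KeyError:  # unrecognised field name in Sig-Fields
            return False
        return hmac.compare_digest(expected, h.get("X-OpenPGP-Sig", ""))

    def initiate_session(self, req, client_ip):
        """Secure Session Initiation: only a correctly signed request gets a token."""
        if not self._verify(req):
            return None
        token = secrets.token_hex(8)
        self.sessions[token] = (req["headers"]["X-OpenPGP-KeyID"], client_ip)
        return token

    def handle(self, req, client_ip, url="/app"):
        # Anti-spoofing: strip client-sent result headers before doing anything.
        clean = {k: v for k, v in req["headers"].items() if k not in RESULT_HEADERS}
        req = {"headers": clean, "body": req["body"]}
        good = self._verify(req)
        out = {"X-Auth-OpenPGP": "true" if good else "false"}
        if good:
            out["X-Auth-OpenPGP-KeyID"] = clean["X-OpenPGP-KeyID"]
        session = clean.get("X-OpenPGP-Session")
        if session is not None:
            record = self.sessions.get(session)
            if not good or record is None or record[0] != clean["X-OpenPGP-KeyID"]:
                out["X-OpenPGP-Session-Status"] = "Invalid"
            elif self.bind_ip and record[1] != client_ip:
                # Good signature, new IP: a roaming user and a replayed capture
                # look identical here, so challenge instead of serving the page.
                out["Location"] = url + "##REVALIDATE_SESSION##"
                return 302, out
            else:
                out["X-OpenPGP-Session-Status"] = "Valid"
        return 200, out  # (status, headers mod_openpgp adds for the application)


def demo():
    """The page's scenario: session opened from 1.2.3.4, then traffic from 9.8.7.6."""
    srv = ModOpenPGP()
    token = srv.initiate_session(enigform_request(""), "1.2.3.4")
    legit = enigform_request("variable=value", token)
    results = {"first": srv.handle(legit, "1.2.3.4")}
    # Tampered body plus a forged X-Auth-OpenPGP header: header dropped, verdict false.
    forged = {"headers": {**legit["headers"], "X-Auth-OpenPGP": "true"}, "body": "variable=evil"}
    results["forged"] = srv.handle(forged, "1.2.3.4")
    results["moved"] = srv.handle(legit, "9.8.7.6")  # roaming user or replay: 302
    # The real user can sign a fresh Session Initiation from 9.8.7.6; an attacker
    # holding only the captured request (not the key) cannot.
    new_token = srv.initiate_session(enigform_request(""), "9.8.7.6")
    results["revalidated"] = srv.handle(enigform_request("variable=value", new_token), "9.8.7.6")
    results["attacker_init"] = srv.initiate_session(enigform_request("", secret=b"wrong"), "9.8.7.6")
    return results
```

Running demo() walks through the four outcomes: a normal request gets X-Auth-OpenPGP true and Session-Status Valid; a tampered request with a forged result header is stripped and re-verified to false/Invalid; the same signed request from a new IP gets the 302 to /app##REVALIDATE_SESSION##; and only the holder of the key can complete the revalidation. Note what the model does not catch: the same signed request replayed from the same IP verifies again, which is exactly why X-Auth-OpenPGP alone must not be trusted.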